Ken, * Ken Tanzer (ken.tanzer@xxxxxxxxx) wrote: > Hi. I'm wondering if it is possible to disable use of \! to execute > commands in psql? I see this has come up on the list before > (http://archives.postgresql.org/pgsql-admin/2007-07/msg00242.php), but I > don't see anyone saying whether it is possible or not, just that it's a > bad or useless idea. It'd be difficult to close all the holes and would result in seriously reduced functionality to your users. > It may or may not be a bad idea (e.g., carry some risk). My scenario is > that I'd like to give people that I don't necessarily know (or therefore > trust) the ability to run psql for a database I've already set up for > them. I set their login shell to psql, so they can simply ssh in, and > they are in psql. From there, though, they can do a simple \! > /bin/bash, and they've got way more access than I want them to. You can port-forward the database port through SSH (so you'd only expose port 22 to the internet) and then have the clients run psql on their system. That would let them use things like \copy, which is extremely useful. > So is there any way to disable the "\!" stuff? If there's a better way > to go about this, I suppose I'm all ears too! Yes, listen to the suggestions made by myself and others.. Disabling \! wouldn't be enough and the more you hack on psql to disable things to become a 'secure' database shell, the more annoyed and frustrated your users will end up being. Have you considered something like linux containers or vservers instead? Thanks, Stephen
Attachment:
signature.asc
Description: Digital signature
